Abstract. The squash operation, or the squashing model, is a useful mathematical 
tool for proving the security of quantum key distribution systems using practical (i.e., 
non-ideal) detectors. At present, however, this method can only be applied to a 
limited class of detectors, such as the threshold detector of the Bennett-Brassard 1984 
type. In this paper we generalize this method to include multi-partite measurements, 
such that it can be applied to a wider class of detectors. We demonstrate the 
effectiveness of this generalization by applying it to the device-independent security 
proof of the Ekert 1991 protocol, and by improving the associated key generation 
rate. For proving this result we use two physical assumptions, namely, that quantum 
mechanics is valid, and that Alice’s and Bob’s detectors are memoryless. 


1. Introduction 

Quantum key distribution (QKD) [1] is a technique for distributing information-theoretically 
secure secret keys between two parties connected by a quantum channel. 
Beginning with the Bennett-Brassard 1984 (BB84) [1] and the Ekert 1991 [2] protocols, 
a variety of protocols have now been proposed, e.g., [21IH El EllI]. Several different 
approaches have been advanced for proving the security of QKD systems using the ideal 
qubit detectors [El El ED]. 

The squash operation, or the squashing model, is a useful mathematical tool for 
proving the security of QKD systems using practical (i.e., non-ideal) detectors [Tl] E2]. 
Once its existence is proved for a given practical detector, one can incorporate it into 
a conventional type of security proof where receivers have ideal qubit detectors, and 
automatically obtain a new proof that remains valid even if the practical detectors are 
used. The squash operation literally squashes an incoming state to a qubit, and also has 
the property that, when followed by qubit measurements, it acts exactly the same way as 
the practical detector. In security proofs, there is no loss of generality in supposing that 
the squash operation is conducted by the attacker, and as a result, the security 
of a protocol using practical detectors is reduced to that using ideal qubit detectors. 

† Present address: Advanced Data Solutions, Corporate Marketing Department, Teikoku Data Bank, 

A type of squash operation was first assumed in the security proof by Gottesman et 
al. [13]; however, its existence was only conjectured, and no proof was given. The first proof 
was given by one of the present authors and Tamaki HD, for the case of the threshold 
detector of the BB84 type measurement. This result was also verified independently by 
Beaudry, Moroder, and Lütkenhaus [12]. There were also efforts toward constructing 
squash operations for a wider class of practical detectors. For example, Beaudry et al. 
gave an explicit condition for the existence of a squash operation, and used it to show 
positive and negative results on the six-state protocol with threshold detectors na. 
Later their techniques were refined further and applied to other types of measurement 
devices [H]. In Ref. [15], one of the present authors discussed whether symmetries of 
a given detector can imply the existence of the squash operation corresponding to it, 
and also showed that the above result on the BB84 type measurement is valid even for 
multi-mode cases. In addition to these uses in quantum cryptography, Moroder et al. 
applied the squash operation to entanglement verification with realistic measurement 
devices [16]. 

Despite all these efforts, however, the method of the squash operation is still 
applicable only to a limited class of measurement devices. In fact, even if we 
restrict ourselves to qubit measurements of the BB84 type, we can easily construct 
counterexamples to its existence (see Lemma 3 in Section 3). 

In this paper, we demonstrate that the situation changes drastically by considering 
a generalized case where multi-partite measurements are involved. That is, while all 
previous studies on the squash operation were concerned only with detectors used 
by a single player, we here consider a generalization including global measurements 
performed jointly by two players or more, such as the Clauser-Horne-Shimony-Holt 
(CHSH) measurement [I^, used e.g. in the E91 protocol. This approach allows us to 
relax mathematical conditions required for the existence of the squash operation, such 
that they can be fulfilled for a wider class of detectors. Perhaps this is most easily 
illustrated by considering the CHSH measurement as an example. If one regards the 
CHSH measurement as a mixture of local x, z-basis measurements performed by Alice 
and Bob, there are two bases for each player, which together yield four conditions that the 
squash operation has to satisfy. In contrast, if one regards the same measurement 
as one global measurement, there is no basis choice, and thus only one condition is 
required for the existence of the squash operation. 

As evidence of the effectiveness of this generalization, we apply it to the device-independent 
security analysis of the E91 protocol, and improve the key generation rate 
known so far: The security of the E91 protocol using arbitrary detectors can be reduced 
to that of the BB84 protocol using single photon detectors, and that allows us to prove 
the asymptotic key generation rate $R = 1 - h((2+\sqrt{2})p) - f_{\rm ec} h(p)$, with $p$ being 
the quantum error rate (QBER), $h(p)$ the binary entropy, and $f_{\rm ec}$ the efficiency of 
error correction. This rate R is higher than in the previous literature on the device-independent 
E91 protocol [IBl dSl IMl El [221123], except the one assuming collective 
attacks, a very limited attack scenario [2l] (see Figure 1). For example, when the 
optimal error correcting code with $f_{\rm ec} = 1$ is available, one can generate the secret key 
with the QBER up to 5.4%. 

For obtaining this result, we use the same physical assumptions as in Ref. [19]. 
Namely, we assume that quantum mechanics is valid, and that Alice’s and Bob’s 
detectors are memoryless, i.e., different detectors operate on different Hilbert spaces. In 
comparison with the other existing literature, these assumptions are weaker than in Ref. 
[23], where collective attacks are assumed, but stronger than in Refs. [2ni|2ll[22l|23], 
where detectors are not necessarily memoryless. They are also stronger than in Ref. 
[Is] , which does not assume quantum mechanics. 

Our security proof of the E91 protocol proceeds as follows. In the first step, 
we convert the E91 protocol using arbitrary detectors into a simplified version where 
uncharacterized qubit detectors are used. For this purpose we borrow the technique used 
in Ref. [23], and the result is that, without loss of security, we may restrict ourselves to 
a protocol where Alice and Bob use qubit detectors, parameterized by complex numbers 
$\alpha$, $\beta$. In the next step, we eliminate the $\alpha$, $\beta$-dependence by applying a bipartite squash 
operation which is designed such that the CHSH measurement, jointly performed 
by Alice and Bob, is transformed to the phase error measurement of the BB84 type, 
also jointly performed by the two players. It is also designed so that it leaves Alice’s 
sifted-key measurement unchanged. As a consequence, the original E91 protocol is 
transformed to the BB84 protocol, which can readily be shown secure by referring to 
the existing literature, e.g., [H |25l (26] l27] . 

The crucial observation here is that the minimum entropy of Alice’s sifted key 
depends only on the results of Alice’s sifted-key measurement, and of the CHSH 
measurements on sample pulses. No other measurements affect the sifted key as they 
are performed locally and remotely from it. Hence for proving the security of the E91 
protocol, it suffices to find a squash operation that properly transforms the CHSH and 
Alice’s sifted-key measurement. While the previous formulation based on the one-partite 
squash operation demands four conditions, corresponding to Alice’s and Bob’s choices 
of x, z basis, which cannot be fulfilled in general, the bipartite generalization demands 
only two. This is why this new setting realizes the security proofs that were not possible 
previously. 

2. Review of concepts regarding quantum key distribution and the security 

In this section, we clarify the notation and concepts to be used in this paper. In 
particular, we explain the security criteria of QKD protocols, and review the previous 
method of the squash operation, restricted to one-partite measurement. 
For the sake of simplicity, we restrict ourselves to entanglement-based QKD protocols. 
Also for the sake of simplicity, we assume that the secret key length is constant; i.e., we 
only consider the type of protocols where Alice and Bob decide whether the protocol is 
aborted or not, by checking the measurement results of randomly chosen sample pulses, 
and when it continues, the generated secret key has a fixed bit length $l$. Such protocols 
can typically be described as follows. 

Protocol 1 (PR1): Typical entanglement-based protocol using detector M^. 

(i) (Quantum communication) Eve generates quantum state and sends its 
sub-states in and each consisting of N tensor products of a Hilbert 
space 'H^, to Alice and Bob, respectively. 

(ii) (Basis choice) For each pulse $i \in \{1,\dots,N\}$, Alice (resp., Bob) chooses basis 
$c_{A,i} \in \{z,x\}$ (resp., $c_{B,i} \in \{z,x\}$). 

(iii) (Quantum measurement) Alice (resp., Bob) measures them using operators 
$M_i^A(r_{A,i}|c_{A,i})$ (resp., $M_i^B(r_{B,i}|c_{B,i})$) and records the results $r_{A,i}$ (resp., $r_{B,i}$). 

(iv) (Determining whether to continue the protocol or not) Alice and Bob 
communicate through the public channel, and decide sample pulses $I_{\rm smp} \subset \{1,\dots,N\}$ 
and sifted key pulses $I_{\rm sif} \subset \{1,\dots,N\}$ in such a way that $I_{\rm smp} \cap I_{\rm sif} = \emptyset$. 
By checking the measurement results of sample pulses $I_{\rm smp}$, they decide 
whether they continue or abort the protocol. 

If they continue, Alice lets her measurement results of sifted key pulses $I_{\rm sif}$ be 
her sifted key u. 

(v) (Alice’s privacy amplification) Alice randomly selects hash function $f_{\rm PA}$ and 
announces it to Bob. She then inputs her sifted key u to $f_{\rm PA}$ and obtains her 
secret key $k = f_{\rm PA}(u)$ of $l$ bits, and stores it in . 

(vi) (Bob’s post-processing) Alice calculates syndrome of her sifted key u, and 
announces it to Bob. Bob lets his measurement results of sifted key pulses 
be his sifted key u'. He corrects errors in u' using syndrome, and by inputting 
the outcome to a hash function $f_{\rm PA}$, he obtains his secret key. 

In what follows, we denote all data announced in the public channel by a random 
variable V, Alice’s secret key by K, and the final state corresponding to the initial state 
by . Eve eavesdrops information regarding the secret key K by referring to V and 
measuring her sub-state in The security against this attack is usually analyzed by 
defining the ideal state, and then evaluating how close it is to the actual state. It is 
customary to define the ideal state to be where Alice’s secret key K seen from Eve is 
the perfectly uniform random source, i.e., 0 p^^ with = ‘2,~^Y^k=o l^)(^l- 

It is also customary to use the trace distance for evaluating the closeness with the actual 
state. 







Definition 1 We say that a given QKD protocol is $\varepsilon$-secure if the following relation 
holds for an arbitrary attack by Eve: 

d,{p^nVE):=\\p^^^-p^,^®p^%<e. (1) 

As shown in Ref. [28], this definition of security satisfies universal composability. 

As emphasized by Renner [25], in evaluating the trace distance di{p^^^\VE), it 
is useful to consider the smooth minimum entropy H ^-^ {p^^^\VE) of sifted key U, 
because it allows the use of mathematical tools similar to those of the Shannon theory. 
This property is sufficient for bounding the trace distance from above, i.e.. 

Lemma 1 If function $f_{{\rm PA},V}$ for privacy amplification is randomly chosen from a 
universal function family f23f, then for any (sub-normalized) sifted key state p^^^, 

di{p^^^\VE) = < 2e' + . (2) 

Here we denoted hash function $f_{\rm PA}$ by $f_{{\rm PA},V}$ in order to emphasize that it is determined 
uniquely by the public communication V. We note that there is a useful generalization 
for this lemma using dual universal$_2$ functions [30, 31], which allows the use of practically 
useful hash functions [32]. 

According to this lemma, once a lower bound on H((^„ {p^^^\VE) is obtained for a 
given protocol, its security follows immediately. For example, if one can somehow prove 
that 

\VE) >1 + 2 log.,i + 6 (3) 

holds for an arbitrary attack by Eve, then Lemma 1 guarantees that condition (1) of 
Definition 1 holds, and thus the protocol is $\varepsilon$-secure. 

As we restrict ourselves to entanglement-based protocols in this paper, once Eve 
fixes the initial state $\rho^{ABE}$, the state $\rho^{UVE}$ describing Alice’s sifted key and Eve is 
uniquely determined, as well as $\rho^{KVE}$ describing Alice’s secret key and Eve. This fact 
can be used to simplify the notation to some extent. Define a (not necessarily trace 
preserving) completely positive map $\Pi_{\rm sif}$ for describing Alice’s sifted key generation, $\Pi_{\rm PA}$ 
for her privacy amplification, and $\Pi_{\rm sec} = \Pi_{\rm PA} \circ \Pi_{\rm sif}$ for secret key generation. Then 
$\rho^{KVE}$ can be denoted as $\rho^{KVE} = \Pi_{\rm sec}(\rho^{ABE})$. Here we use a convention 
that pF^='*''T = pK,v=v',E _ g protocol is aborted and no secret key is generated 
(i.e., v' denotes a record of public communication that includes “abort”). We also use 
the notations $\rho^{KVE}_{*}$, $\Pi_{{\rm sec},*}$, $\Pi_{{\rm sif},*}$, with symbol $*$ specifying the protocol or game 
used. For example, $\rho^{KVE}_{\rm PR1}$ is the final state generated by Protocol 1 (PR1) from the 
initial state $\rho^{ABE}$, i.e., $\rho^{KVE}_{\rm PR1} = \Pi_{{\rm sec},{\rm PR1}}(\rho^{ABE})$. 

In these notations, condition (1) of Definition 1 can be rewritten as 

$\max_{\rho^{ABE}} d_1(\Pi_{\rm sec}(\rho^{ABE})|VE) < \varepsilon$. (4) 

Similarly, eq. (3), which is a sufficient condition for (1), can be rewritten as 

min VB) > I + 21og., i + 6. 

pABE g 


( 5 ) 
2.2. Previous method using squash operations 

As mentioned in the Introduction, the squash operation is a mathematical tool that 
translates the security of a given QKD system using practical detectors into that of 
qubit-based protocol. In this subsection we review this method, based on the results 
of Ref. P. For the sake of simplicity, we will continue to restrict ourselves to 
entanglement-based protocols, although the method presented below can also be applied 
to prepare-and-measure protocols. 

Consider a QKD system where Alice’s and Bob’s detectors are not necessarily ideal 
qubit detectors, and denote the Hilbert space of their input by T-L^. For instance, for 
the threshold detector (see, e.g., Ref. mi), w" is the Fock space representing multi-photons. 
For the sake of simplicity, we will further assume that measurement basis $c$ 
is chosen from $\{x,z\}$, and that the measurement outcome is $r \in \{\pm 1\}$. We denote the 
corresponding POVM in by $M(r|c)$. For later convenience, we also define operator 
$M(c) := M(+1|c) - M(-1|c)$. In this setting, the squash operation is defined as follows. 

Definition 2 (1-partite squash operation) A squash operation is a quantum 
operation (i.e., a trace-preserving and completely positive (TPCP) map) F : PP^, 
satisfying 

$M(x) = F^\dagger(X)$, (6) 

$M(z) = F^\dagger(Z)$, (7) 

where X, Z denote the Pauli matrices of the x, z basis. 

Here, $F^\dagger$ denotes the Hermitian conjugate of F, i.e., the operator satisfying 
$\mathrm{tr}(M F(\rho)) = \mathrm{tr}(F^\dagger(M)\rho)$ for arbitrary state $\rho$ and measurement M. 

Definition 2 demands that measuring any state with an arbitrary basis $c \in \{x, z\}$ 
using $M(c) = M(+1|c) - M(-1|c)$ is equivalent to performing squash operation F on 
the state and then measuring the resulting qubit state with the Pauli operators X, Z. 
If such operation F exists, all measurements in Protocol 1 performed by Alice and Bob 
using $M(r|c)$ ($c \in \{x, z\}$) can be decomposed into F followed by the normal qubit 
measurements using X, Z. In security proofs, there is no loss of generality in supposing 
that F is conducted by the attacker, so the security of Protocol 1 above can be reduced 
to that of the following protocol m- 


Protocol 2 (PR2): A qubit-based protocol. 

Same as Protocol 1 except 

(i) Eve generates quantum state $\rho^{ABE}$, where and consists of qubit spaces. 
Then she sends its sub-states in and to Alice and Bob, respectively. 
(iii) Alice (Bob) measures pulse i using the Pauli operators $X^A$, $Z^A$ (resp., $X^B$, $Z^B$) 
corresponding to basis $c_{A,i} = x, z$ ($c_{B,i} = x, z$), and records the results 

In terms of the trace distance and the smooth minimum entropy, we have the 
following relations. 


Lemma 2 Let $\rho^{KVE}_{\rm PR1}$ and $\rho^{KVE}_{\rm PR2}$ be the final states generated as a result of Protocol 1 
and 2, respectively; then we have 

$\max_{\rho^{ABE}} d_1(\rho^{KVE}_{\rm PR1}|VE) \le \max_{\rho^{ABE}} d_1(\rho^{KVE}_{\rm PR2}|VE)$. (8) 

Similarly, let $\rho^{UVE}_{\rm PR1}$ and $\rho^{UVE}_{\rm PR2}$ be the sifted-key states generated by Protocol 1 and 2, 
respectively, then 


niin HrniniPpm) > 


i(p- 


UVE\ 
PR2 ) 


(9) 


In Appendix B, we give a formal proof of this lemma. 

According to Lemma 2, once the squash operation F is shown to exist for a given 
detector M(r|c), any security proof of a qubit-based protocol remains valid even when 
the qubit detectors are replaced with M(r|c). In other words, once F is known to exist 
for a practical detector M(r|c), it always suffices to consider the simplified case where 
the ideal qubit detectors are used; all analyses related with M(r|c) become unnecessary. 
This is the advantage of considering the squash operation. 


3. Multi-partite squash operations 


3.1. Motivation 


As we have seen in the previous section, once the squash operation F is shown to exist 
for a practical detector M(r|c), it serves as a very useful tool for analyzing protocols 
involving M(r|c). At present, however, F is shown to exist for a relatively limited 
class of detectors, e.g., the threshold detector of the BB84 type measurement [m ESI Eg, 
and of the six-state measurement with a passive basis choice [12], and a few others [14]. 
In fact, even if we restrict ourselves to qubit measurements of the BB84 type, we can 
easily construct counterexamples of F: 


Lemma 3 (limitation of the 1-partite squash operation for a qubit) In the notation 
of Definition 2, let $M(x) = X_\alpha$, $M(z) = Z$ with $X_\alpha$ being the generalized X operator, 
defined in Appendix A. If $\alpha \neq i, -i$, there exists no squash operation F satisfying 
conditions (6), (7). 


This can be verified readily by checking conditions (3a), (3b), (3c) of Ref. [12]. 
The lemma says that even if one uses perfectly sensitive qubit detectors $X_\alpha$, Z, the 
corresponding F does not exist unless the alignment of the x, z axes (corresponding to 
$\alpha$) is also perfect§. Hence one cannot hope to apply the method of the 1-partite squash 
operation to general detectors and reduce the security proof to qubit spaces. Note that 
this difficulty applies to any protocol using measurements of the BB84 type, including 
the E91 protocol. 

§ It should be noted that the lemma may not be true if the x, z measurements are embedded in more 
than two dimensions, or if their sensitivities are not perfect. In fact this is why F exists for many 
practical cases listed above the lemma. 

In the rest of this paper, we show that this situation changes drastically by 
considering a generalized setting where multi-partite measurements are involved. That 
is, while all previous studies of the squash operation were concerned with a detector used 
by a single player, we here consider a generalization including measurements performed 
jointly by two players or more, such as the Bell and the CHSH measurements. This 
approach allows us to relax mathematical conditions required for the existence of the 
squash operation, such that they can be fulfilled for a wider class of measurements. 

3.2. Definition 

We write down the definition for the multi-partite case. This is a simple generalization 
of the one-partite squash operation of the previous section. Consider a situation where 
n players $P_1,\dots,P_n$ agree on a basis choice c and perform (possibly non-local) n-partite 
measurements in the Hilbert space (8) • • • 0 using operator M(r|c) to obtain 
an outcome r. Here the basis choice c can be a list $(c_1,\dots,c_n)$ consisting of $P_j$’s 
choices $c_j$, but is not limited to this type. More generally, it may also specify non-local 
measurements, such as the CHSH measurement, denoted by c = CHSH. We assume 
that c is chosen from a predetermined set C. We also assume there are measurement 
operators m(r|c) defined for the same variables r, c, which operate in n-qubit spaces 
P^^ 0 • • • 0^^". In this setting, the multi-partite squash operation is defined as follows. 

Definition 3 (n-partite squash operation) The squash operation for n-partite 
measurements $M(r|c)$ and $m(r|c)$ is a quantum operation F : P^^ 0 ••• 0 —)■ 
0 • • • 0 which satisfies an equality 

$M(r|c) = F^\dagger(m(r|c))$ (10) 

or an inequality 

$M(r|c) \ge F^\dagger(m(r|c))$ (11) 

for each basis choice $c \in C$. 

In the following sections, we show that this generalized approach can be used to 
prove the security of the E91 protocol using any detectors. This is evidence that our 
approach indeed allows the squash operation to be applied to a wider class of protocols or 
detectors than previously possible, including the counterexample given in Lemma 3. 

4. Application of bipartite squash operation: device-independent QKD 
protocol 

In order to demonstrate the effectiveness of the multi-partite squash operation, 
introduced in the previous section, we apply it to the device-independent security proof 
of the E91 protocol using arbitrary detectors, and obtain the device-independent key 
generation rate $R = 1 - h((2+\sqrt{2})p) - f_{\rm ec} h(p)$, improved upon those obtained in the 
previous literature. 

4.1. Outline of the proof 

In this paper we only consider the types of post-processing algorithms which execute bit 
error correction and privacy amplification as independent processes and do not exploit 
their correlations. Hence the security analysis amounts to evaluating the minimum 
entropy associated with the joint state U of Alice’s sifted key and 
Eve’s quantum state VE, conditioned on the result of the CHSH test performed by Alice 
and Bob. Then by assuming that Alice’s and Bob’s detectors are memoryless, we can 
neglect back reactions from Bob’s sifted key measurement (the $z'$-basis measurement), 
since it does not affect to be evaluated. Hence it suffices to analyze how 
$\rho^{UVE}$ behaves under Alice’s sifted-key measurement and the CHSH measurement, both 
consisting only of the x- and the z-basis measurements by Alice and Bob. 


4.1.1. Reduction to the qubit-based E91 protocol with uncharacterized X measurement 
The first crucial step is to reduce this evaluation of p^^^ to the case where only 
(generalized) qubit detectors are used. Borrowing the argument of Ref. [2lj, we can 
actually assume, without loss of generality, that input pulses to Alice and Bob are all 
qubits, and that they measure them using the generalized x, z measurements in qubit 
space, defined by 


I ® “ 1 , XS = 

a* 0 



Z^ = Z 


B 



( 12 ) 


with $\alpha$, $\beta$ being complex numbers satisfying $|\alpha| = |\beta| = 1$. Parameters $\alpha$ and $\beta$ are 
chosen arbitrarily by Eve and may vary for different qubit pairs i. Accordingly, we may 
assume that Alice’s sifted-key measurement and the CHSH measurement are 


Map{cA = z) = Z^ ® I'®, (13) 

M„,^(CHSH) = i(Z^ (g) (g) 0 (g) X|). (14) 


The details of this reduction to qubit spaces are presented in Lemma 6 and in 
Appendix D. In short, it suffices to evaluate Hm^T, (p^^^\VE), supposing that Alice and 
Bob jointly perform qubit-pair measurements (13), (14), with $\alpha$, $\beta$ chosen arbitrarily by 
Eve. 


4.1.2. Bipartite squash operation The second step is to eliminate uncontrollable 
parameters $\alpha$, $\beta$, chosen by Eve, by a security reduction using the squash operation. As 
we will prove in Theorem 2 of Section EH, there exists a bipartite squash operation 
satisfying 

Flf, (l+iV2-l)X^^X^^ > 2M„,^(CHSH), 

where $X^A$ and $X^B$ are the usual Pauli operators: $X^A = X^A_i$, $X^B = X^B_i$ with $i = \sqrt{-1}$ 
being the imaginary unit. By using this $F_{\alpha,\beta}$, the evaluation of with 
qubit-pair measurement operators being (13), (14) is reduced to the analysis of the 
BB84 protocol using sifted-key measurement ® and the phase error measurement 
$X^A \otimes X^B$. 

As a result, the security of the device-independent E91 protocol is reduced to that 
of the BB84 protocol, which has been fully analyzed in the existing literature, e.g., 
[SI [25l [26l [27| . These are the main ideas of our security proof. 

‖ Throughout the paper, we represent the Pauli matrices in the y-basis. For details see Appendix A. 

4.2. Description of the Ekert 1991 protocol 
We consider the following version of the E91 protocol. 

4.2.1. Assumptions We use two assumptions for the security proof in the subsequent 
sections. The first assumption is that quantum mechanics is valid. The second 
assumption is for detectors: Recall that we only consider the type of protocol where 
Eve prepares the initial state first, and Alice and Bob measure it using N detectors 
respectively, with N denoting the number of raw key bits. In this setting we assume 
that these 2N detectors are memoryless, or uncorrelated with each other. 

The precise description of the second condition is as follows. Let us use variable 
$P \in \{A, B\}$ to denote players Alice and Bob. We assume that the Hilbert space 
representing player P’s incoming state is clustered as 
$\mathcal{H}^P = \mathcal{H}^P_1 \otimes \cdots \otimes \mathcal{H}^P_N$, and that 
detector $i \in \{1,\dots,N\}$ operates only in subspace $\mathcal{H}^P_i$. In other words, we assume that 
the $i$th detector of player P takes the form 

$I^P_1 \otimes \cdots \otimes I^P_{i-1} \otimes M^P_i(r|c) \otimes I^P_{i+1} \otimes \cdots \otimes I^P_N$, (15) 

where c denotes the basis choice, $r \in \{\pm 1\}$ the output, and $I^P_i$ the identity operator of 
$\mathcal{H}^P_i$. We emphasize here that $M^P_i$ with different P or i may be different from each other. 
In what follows we consider the situation where this condition is guaranteed somehow, 
e.g., by shielding or separating detectors from each other. 

We also restrict ourselves to the case where each detector $M^P_i$ always outputs value 
$r \in \{\pm 1\}$, and there are no inconclusive events, i.e., 

$M^P_i(+1|c) + M^P_i(-1|c) = I^P_i$ for $\forall c$. (16) 

Note this is not a new physical assumption, since any $M^P_i$ can be transformed to this 
type, e.g., by making it a rule that player P assigns a random number ±1 to output c 
when detector i says inconclusive. 
E91 Protocol, or Game 0 (G0): The E91 protocol with memoryless 
uncharacterized detectors. 


(i) (Quantum communication) Eve generates N : = 


n 


1 -5 V 1 


<1 


photon pairs 


and sends them to Alice and Bob, where 5 > 0 and q <1/2. 

(ii) (Basis choice) 

(a) (Choosing sample and sifted key pulse candidates) On each pulse 
$i \in \{1,\dots,N\}$, Alice labels $b_{A,i} \in \{{\rm smp},{\rm sif}\}$ (denoting sample or sifted key 
candidate) with probabilities $1-q$, $q$. Bob also labels $b_{B,i} \in \{{\rm smp},{\rm sif}\}$ in 
the same manner. 

(b) (Alice’s basis choices) Alice does the following for each i: If $b_{A,i} = {\rm sif}$, let 
the basis $c_{A,i} = z$. If $b_{A,i} = {\rm smp}$, let $c_{A,i} = x, z$ with probability 1/2. 

(c) (Bob’s basis choice) Bob does the following for each i: If $b_{B,i} = {\rm sif}$, let the 
basis $c_{B,i} = z'$. If $b_{B,i} = {\rm smp}$, let $c_{B,i} = x, z$ with probability 1/2. 

(iii) (Quantum measurement) Alice and Bob measure pulses using operators 
$M_i^A(c_{A,i})$ and $M_i^B(c_{B,i})$. The results are recorded as $(r_{A,i}, r_{B,i}) \in \{\pm 1\}^2$. 

(iv) (Determining whether to continue the protocol or not) 

(a) Selection of sample and sifted key pulses: 

1. Alice and Bob announce all their labels $b_{A,i}, b_{B,i}$ and basis choices 
$c_{A,i}, c_{B,i}$ ($i = 1,\dots,N$). 

/ 

q 


2. Alice randomly selects I, 


smp 


:= n 


q 


pulses (resp., n pulses) 


satisfying $b_{A,i} = b_{B,i} = {\rm smp}$ (resp., $b_{A,i} = b_{B,i} = {\rm sif}$), and registers 
those i as sample pulses $I_{\rm smp} \subset \{1,\dots,N\}$ (resp., $I_{\rm sif} \subset \{1,\dots,N\}$). 
If it is found that there are not enough pulses satisfying the 
conditions, the protocol is aborted. 

(b) Verification of the CHSH inequality: 

1. Alice reveals $\{r_{A,i} \mid i \in I_{\rm smp}\}$ to Bob. 


2. Bob calculates 


A = 


‘^smp 






(17) 

where 

$t(c_A, c_B) := 1$ if $c_A = c_B = x$, and $0$ otherwise. (18) 

3. If S is less than a given predetermined threshold $S_0$, Bob announces 
that the protocol is aborted. 

(c) Generation of the sifted key: 

Alice lets her measurement results of sifted key pulses $I_{\rm sif}$ be sifted key u, 
and stores it in . 

(v) (Alice’s post-processing) Alice calculates syndrome $u_{\rm syn}$ of her sifted key for error 
correction, and announces it to Bob. We assume that the syndrome length $|u_{\rm syn}|$ 
satisfies $|u_{\rm syn}| < l_{\rm syn}$. 

Alice also selects a universal hash function $f_{\rm cor}$ randomly with output length 
$|f_{\rm cor}(\cdot)| = \lceil \log(1/\varepsilon_{\rm cor}) \rceil$, and announces $f_{\rm cor}$ along with the hash value $f_{\rm cor}(u)$ of 
sifted key u. 

Alice selects another universal hash function $f_{\rm PA}$ with output length $l$ randomly, 
calculates secret key $k = f_{\rm PA}(u)$, and stores it in . 

(vi) (Bob’s post-processing) 

Bob measures his sifted key pulses in the z' basis to obtain his sifted key, and 
obtains corrected key u' by performing bit error correction using syndrome $u_{\rm syn}$. 
Then he verifies its correctness by checking if the hash value $f_{\rm cor}(u')$ of Bob’s 
sifted key equals $f_{\rm cor}(u)$ sent from Alice. If they differ the protocol is aborted; 
otherwise he obtains secret key of $l$ bits by applying a privacy amplification on 
the sifted key. 


4.2.3. Remarks on the protocol besides security In Steps 2 and 4(a), Alice and Bob 
choose sample and sifted key pulses randomly, and if they fail to assign enough 
numbers of pulses, the protocol is aborted. This abortion due to pulse selections 
occurs probabilistically and independently of Eve’s choice of the initial state . 
This probability can be bounded by using the Chernoff bound (see, e.g., [33], Theorem 
4.5) as 

Pr[abort in Step 4(a)] < 26“*-'^'^^^/^. (19) 

Parameter S, calculated in Step 3 (b), corresponds to the average of outcomes of 
the CHSH measurements. That is, according to constructions of Step 2 and 3, obtaining 
S is equivalent to measuring each sample pulse $i \in I_{\rm smp}$ using 

® M^{z) + Mf{z) ® Mf (x) 

+ Mf{x) ® Mf{z) - Mf{x) ® Mf (x)) 

with the outcome $S_i$, and then calculating the average 
$S = (l_{\rm smp})^{-1} \sum_{i \in I_{\rm smp}} S_i$. In what 
follows, we will often call S the CHSH parameter. 

The use of hash value $f_{\rm cor}(u)$ in Steps 5 and 6 guarantees that this protocol is 
$\varepsilon_{\rm cor}$-correct (see, e.g., Ref. mm- 

4.3. Security of the above protocol 

Theorem 1 The E91 protocol above is $\varepsilon$-secure. That is, let $\rho^{KVE}_{\rm E91}$ be the final state 
generated by the E91 Protocol (or Game 0) on the input of initial state $\rho^{ABE}$, consisting 
of secret key K, public communication V, and Eve’s sub-state in $\mathcal{H}^E$. Then we have 

$d_1(\rho^{KVE}_{\rm E91}|VE) < \varepsilon$, (20) 

when the secret key length $l$ is chosen to be 


I = n ^ - h ^(1 + y/2) + /i' 

1 3 

2/gjnp Isyn 2 log 2 

^cor ^ 


with $\delta S$ and $\mu$ defined by 


^ (4V3(1 . VI) ^ ^ 


^ In- 


^smp ^ 


( 21 ) 


( 22 ) 


where $h(p)$ denotes the binary entropy: $h(p) = -p \log_2 p - (1-p) \log_2 (1-p)$. 


This theorem can be obtained by using the leftover hashing lemma (Lemma 1), and 
letting $\varepsilon' = \varepsilon/3$ in the following lemma. 

Lemma 4 Let p^gi^ be the state generated as a result of Steps 1 through 4 of the E91 
Protocol (or Game 0) on the input of initial state , and U be the random variable 
denoting the sifted key. Then Peqi^ satisfies, for an arbitrary value of < s' < 1, we 
have 


> n (^1 - h (^(1 + ^/2) - (^0 - 5^) ) + /i 


where 


2 ^smp Isyn I0S2 ) 

^COT 


6 S = 


p = 


48 , 2 

‘'smp ^ 


I n T ^smp ^smp ^ ^ 


nL 


L 


s' 


■'smp ‘'smp 

The proof of this lemma is given in the next section. 


(23) 

(24) 


(25) 

(26) 


4.4. Key generation rate for the qubit-based implementation 

In the ideal implementation of Ekert 1991 protocol, the entanglement source always 
generates the Bell state 

|4'+‘) := ^ (|0.)''|0.y + |U)'‘|U.)®) , (27) 

which is then sent to Alice and Bob, and measured using (presumably) single photon 
detectors. In this setting, it is customary to rotate Bob’s x, z bases by 45 degrees with 
respect to those of Alice’s, such that S attains its maximum value $2\sqrt{2}$ when channels 
are noiseless. It is also customary to choose Bob’s z' basis to be aligned with Alice’s 













Figure 1. (Color online) Asymptotic key generation rates R versus quantum bit error 
rate p. The bold black curve is our device-independent (DI) key generation rate for the 
E91 protocol using memoryless detectors. The orange, red and blue curves are those 
obtained in Ref. [24] (DI against collective attacks), Ref. [19] (DI using memoryless 
detectors), and Refs. [22, 23] (fully DI), respectively. The gray curve is the rate of the 
usual device-dependent scenario using the Pauli measurements and one-way classical 
communications. We let the bit error correction efficiency $f_{\rm ec} = 1$ for all the cases. 
Note that we achieve a higher rate throughout the domain than those under the same 
(red, [19]) or a severer (blue, [22, 23]) scenario. 


basis, so that their sifted keys match in the noiseless case. When channels are noisy, 
e.g., the depolarizing channels with error rate p, the average of S is 

and the bit error rate $p_{\rm sif}$ of the sifted key equals p. 



Corollary 1 In the above setting using single photon detectors, the asymptotic key 
generation rate $R := \lim_{n \to \infty} n/N$ satisfies 

$R = 1 - h\left((2 + \sqrt{2})\,p\right) - f_{\rm ec}\, h(p)$, (29) 

where $f_{\rm ec}$ is the efficiency of error correction, i.e., the asymptotic syndrome length is 

$l_{\rm syn} \simeq f_{\rm ec}\, h(p)$. 

Proof: For example, by choosing the probability q of basis choices as $q = \varepsilon > 0$, we 
have $\mu' \to 0$, $l_{\rm smp}/N \to 0$, $n/N \to 1$ for $n \to \infty$, and obtain the lemma. ■ 

Note that this rate R improves upon those in the previous literature on the 
device-independent E91 protocol [IHl EH] EHl EH E2l E3], except for the one assuming 
collective attacks |2l] (see Figure 1). 
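The rate of Corollary 1 can be evaluated numerically to find the largest tolerable bit error rate. The following is an added example, not code from the paper: it assumes Eq. (29) reads R = 1 - h((2+√2)p) - f_ec h(p), caps the first entropy argument at 1/2 (an assumption made here so that the bound stays monotone), and uses the standard one-way device-dependent rate 1 - h(p) - f_ec h(p) for comparison, a formula the page describes only in words. All function names are hypothetical.

```python
import math

SQRT2 = math.sqrt(2.0)


def h(x):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def phase_error_bound(p):
    """Argument of the first entropy term in Eq. (29).

    Assumption of this example: the value is capped at 1/2, because a
    phase error estimate above 1/2 certifies no secrecy; without the cap
    h() would decrease again and the formula would report a spurious
    positive rate at large p.
    """
    return min((2.0 + SQRT2) * p, 0.5)


def rate_di(p, f_ec=1.0):
    """Asymptotic device-independent rate of Corollary 1 (as read from Eq. (29))."""
    return 1.0 - h(phase_error_bound(p)) - f_ec * h(p)


def rate_dd(p, f_ec=1.0):
    """Standard device-dependent one-way rate (not given as a formula on the page)."""
    return 1.0 - h(min(p, 0.5)) - f_ec * h(p)


def threshold(rate, f_ec=1.0, iterations=60):
    """Largest bit error rate with positive key rate, found by bisection.

    Both rate functions are non-increasing on [0, 1/2], positive at p = 0
    and negative at p = 1/2, so there is a single sign change.
    """
    lo, hi = 0.0, 0.5
    if rate(lo, f_ec) <= 0.0:
        return 0.0
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        if rate(mid, f_ec) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for f_ec in (1.0, 1.16):
        print("f_ec = %.2f: DI threshold %.4f, DD threshold %.4f"
              % (f_ec, threshold(rate_di, f_ec), threshold(rate_dd, f_ec)))
    for p in (0.0, 0.01, 0.03, 0.05):
        print("p = %.2f  R_DI = %.4f  R_DD = %.4f" % (p, rate_di(p), rate_dd(p)))
```

With f_ec = 1 the device-independent rate stays positive up to a bit error rate of roughly 5.5%, about half of the device-dependent threshold near 11%.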
The rest of this paper is devoted to the proof of Lemma 4. Our goal is to obtain a lower 
bound of with a sifted key state generated by Alice and Bob in 
Protocol 1, the E91 protocol. As the direct analysis of such a practical system is usually 
cumbersome, we will use an indirect approach. We convert the protocol to simpler 
procedures called games, which are defined as quantum operations which output a final 
state $\rho^{UVE}$ on the input of initial state $\rho^{ABE}$. We use this terminology because some 
of the converted procedures can no longer be considered as a communication protocol; 
e.g., in Games 1,..., 4 below, a substitute player Charlie alone plays both Alice’s and 
Bob’s parts, and there is no communication. 

In the proof below, we start with the E91 protocol, also called Game 0, and repeatedly 
convert it to Games 1, 2, ..., until we reach Game n, which is simple enough to 
analyze directly. Game i will also be abbreviated as Gi in what follows. In order to 
be able to bound the minimum entropy H^^^{p^g^^\VE) of Game 0 by those of other 
games, we design the conversions such that the minimum entropy of Game i is not larger 
than that of the preceding game, Game i − 1, possibly with a constant offset term h > 0. 

That is, we design conversions from Game i − 1 to i such that 



(30) 


is satisfied for all $1 \le i \le n$. Here PqY^ denotes the sifted key state generated as the 
result of Game i, on the input of $\rho^{ABE}$, i.e., PqY^ = In this setting, it 
is immediate that the minimum entropy of the original protocol is bounded by that of 
Game n as 



n 



(31) 


i=l 


Hence if a lower bound is obtained for the final Game n, then that of the E91 protocol 
follows automatically. This type of situation is often described as ‘the security of the 
original protocol is reduced to that of Game n’. We note that this approach using game 
transformations is not essentially new, and is implicit in the previous literature, such as 
[25], [8]. 

In our proof below, Game 0 is the E91 protocol (Protocol 1), and we convert it to 
simpler Games i ($i \ge 1$) satisfying relation (30), until we reach Game 4, a security game 
of the BB84 protocol. 


5.1. Definition of the security game and the basic strategy of our proof 
As the first step, we define the following game. 

Game 1 (G1): Security game of the E91 protocol. 

(i) (Input of the initial state) Charlie receives from Eve an initial state 6 

with and each forming a space of A^' := n + l^rap photon 

pulses. 

(ii) (Selection of samples and measurement bases) 

(a) Charlie selects $l_{\rm smp}$ pulse pairs randomly, labels them as sample pulses 
$I_{\rm smp} \subset \{1, \ldots, N'\}$, and announces it to Eve. 

(b) For all sample pulses $i \in I_{\rm smp}$, Charlie selects basis pairs $(c_{A,i}, c_{B,i}) \in 
\{(z, z), (z, x), (x, z), (x, x)\}$, each with probability 1/4. 

(iii) (CHSH test) Charlie measures sample pulses $i \in I_{\rm smp}$ using operator $M^A(c_{A,i}) \otimes 
M^B(c_{B,i})$. The results are recorded as $(r_{A,i}, r_{B,i}) \in \{\pm 1\}^2$. Then he calculates 
the CHSH parameter S using (17) and (18), and if it is less than $S_0$, he 
announces to Eve that the protocol is aborted. 

(iv) (Measurement of the sifted key) Charlie measures each sifted key pulse $i \in I_{\rm sif} = 
\bar{I}_{\rm smp} = \{1, \ldots, N'\} \setminus I_{\rm smp}$, using $M^A(z) \otimes I^B$, and obtains a sifted key U of n 
bits. Then he outputs the resulting state 


This game varies from Protocol 1 in four points: 

i) Alice’s and Bob’s procedures are all performed by a single substitute player, Charlie. 

ii) For pulses that are neither samples nor sifted key, basis choices and measurement 
results are omitted. 

iii) Charlie does not measure Bob’s sifted key pulses. 

iv) Charlie does not reveal basis choices of sample pulses, syndrome Usyn and hash value 
$f_{\rm cor}(u)$ to Eve, and keeps them secret. 

It is straightforward to see that the first three modifications do not affect the output 
state nor the minimum entropy H ^^„ {p^^^\VE). On the other hand, the fourth 
modification can affect p^^^, since it erases some information available to Eve through 
public communication V, which is related with sifted key U as well as basis choice of 
sample pulses. In order to compensate the effect on H ^-^„ {p^^^\VE) due to this lack of 
information properly, we borrow results of Ref. [25] and prove the following lemma. 

Lemma 5 For an arbitrary initial state p^^^, we have 

HiAp'Sf\VE) > HiAp'S'AVE) - 24„p - i.,p - log2 (32) 

•^cor 

Note that this is an example of inequality (30). The proof of this lemma is given in 
Appendix C. 

By borrowing the argument of Ref. [24], we may assume, without loss of generality, 
that input pulses of Alice and Bob are all qubits. 


Lemma 6 (cf. Ref. [24], Lemma 1) It is not restrictive to suppose that Eve sends 
to Alice and Bob a mixture $\rho_{AB} = \bigoplus_{\alpha,\beta} p_{\alpha,\beta}\, \rho_{\alpha,\beta}$ of two-qubit states, together with 
a classical ancilla (known to her) that carries the values $\alpha$, $\beta$, and determines which 
measurements $M^A(c_A)$ and $M^B(c_B)$ are to be used on $\rho_{\alpha,\beta}$. 


A proof sketch of this Lemma is given in Appendix D. For the complete proof, we ask 
the reader to see Ref. [2l], Section 2.4. 

This lemma states that there is no loss of security (i.e., H^ia_{p^^^\VE) does not 
increase), even if we restrict ourselves to the case where Eve generates a two-qubit state, 
accompanied by random variables $\alpha$, $\beta$, which are then measured by Alice and Bob using 
operators $M^A(c_A)$, $M^B(c_B)$. With a suitable choice of bases, $M^A(c_A)$, $M^B(c_B)$ can be 
expressed as $Z^A$, $Z^B$, $X^A_\alpha$, $X^B_\beta$ given in Eqs. (A.1), (A.2), with $\alpha$, $\beta$ being complex 
numbers satisfying $|\alpha| = |\beta| = 1$. Thus the security of Game 1 can be reduced to that 
of the following game. 


Game 2 (G2): (Qubit-based security game of the E91 protocol with 
uncharacterized detectors) 

Same as Game 1 except 

(i) (Input of the initial state) 

(a) Eve selects complex numbers $\alpha_i$, $\beta_i$ ($|\alpha_i| = |\beta_i| = 1$) for $i \in \{1, \ldots, N'\}$, 
and announces them to Charlie. 

(b) Eve generates a state $\rho^{ABE} \in \mathcal{H}^A \otimes \mathcal{H}^B \otimes \mathcal{H}^E$, with each of $\mathcal{H}^A$ and $\mathcal{H}^B$ 
consisting of N' qubit spaces, and gives it to Charlie. 

(iii) (CHSH test) Charlie measures all $i \in I_{\rm smp}$ projectively using operators 
$Z^A \otimes Z^B$, $Z^A \otimes X^B_{\beta_i}$, $X^A_{\alpha_i} \otimes Z^B$, $X^A_{\alpha_i} \otimes X^B_{\beta_i}$ according to basis choices $(c^A_i, c^B_i) = 
(z, z), (z, x), (x, z), (x, x)$. The results are recorded as $(r^A_i, r^B_i) \in \{\pm 1\}^2$. Then 
he calculates the CHSH parameter S using (17) and (18), and if it is less than 
$S_0$, he announces to Eve that the protocol is aborted. 

(iv) (Measurement of the sifted key) Charlie measures each sifted key pulse $i \in I_{\rm sif} = 
\bar{I}_{\rm smp} = \{1, \ldots, N'\} \setminus I_{\rm smp}$ by using , and obtains a sifted key U of n bits. 
Then he outputs the resulting state $\rho^{UVE}$. 


and we have the following lemma. 
Lemma 7 For an arbitrary initial state 


min77min(PG^^I^^) < min Rmin(Pm ^1''^^)- 


UVE\ 


( 33 ) 
Unlike Alice and Bob in the actual E91 protocol, Charlie in Games 1 and 2 does not 
reveal basis choices of sample pulses to Eve. Hence, performing projective measurements 
using operators $Z^A \otimes Z^B$, $Z^A \otimes X^B_\beta$, $X^A_\alpha \otimes Z^B$, $X^A_\alpha \otimes X^B_\beta$ in Step 4 in Game 2 (according 
to randomly chosen $c_A, c_B \in \{x, z\}$) is equivalent to performing a measurement using a 
POVM 

$M_{\alpha,\beta}(\pm 1|{\rm CHSH}) := \frac{1}{2}\left(I^A \otimes I^B \pm M_{\alpha,\beta}({\rm CHSH})\right)$, (34) 

where 

$M_{\alpha,\beta}({\rm CHSH}) := \frac{1}{4}\left(Z^A \otimes Z^B + Z^A \otimes X^B_\beta + X^A_\alpha \otimes Z^B - X^A_\alpha \otimes X^B_\beta\right)$. (35) 

It is straightforward to verify that $M_{\alpha,\beta}({\rm CHSH})$ can be diagonalized as 

M„,s(CHSH) = 5^ a (|All'I'P{>I';l + \v\\K){K\) (36) 

a=dil 

where parameters $\mu$, $\nu$ are defined by 

$\mu(\alpha,\beta) = \frac{1}{4}(1 + \alpha + \beta - \alpha\beta)$, (37) 

$\nu(\alpha,\beta) = \frac{1}{4}(1 + \alpha + \beta^* - \alpha\beta^*)$, (38) 

and vectors 1$^^)} are the Bell states defined by 

|4<y> = ® (|0,>3|0,)» ± |^|l,)^|l,>'') . (39) 

(lO.)!!.)® ± ■ («) 

Note here that parameters $|\mu|$, $|\nu|$ satisfy 

$|\mu|^2 + |\nu|^2 = \frac{1}{2}$, (41) 

and thus $|\mu|, |\nu| \le 1/\sqrt{2}$. 
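The spectrum claimed for the CHSH operator can be checked numerically. The following is an added example, not code from the paper: it builds the operator of Eq. (35) from the generalized X operator of Eq. (A.2), assuming the prefactors 1/4 in (35), (37), (38) and the matrix form X_alpha = [[0, alpha], [alpha*, 0]] with Z = X_1, and orders the two-qubit basis as 00, 01, 10, 11. The eigenvectors used are derived here for this matrix representation, and all function names are hypothetical.

```python
import cmath
import math


def gen_x(alpha):
    """Generalized X operator of Eq. (A.2); alpha must have unit modulus."""
    alpha = complex(alpha)
    if abs(abs(alpha) - 1.0) > 1e-12:
        raise ValueError("alpha must satisfy |alpha| = 1")
    return [[0j, alpha], [alpha.conjugate(), 0j]]


Z = gen_x(1)  # Z = X_1 in the representation of Appendix A


def kron(a, b):
    """Kronecker product of two 2x2 matrices (Alice's factor first)."""
    return [[a[i // 2][j // 2] * b[i % 2][j % 2] for j in range(4)]
            for i in range(4)]


def chsh_operator(alpha, beta):
    """(Z(x)Z + Z(x)X_beta + X_alpha(x)Z - X_alpha(x)X_beta) / 4."""
    xa, xb = gen_x(alpha), gen_x(beta)
    terms = [(1, kron(Z, Z)), (1, kron(Z, xb)),
             (1, kron(xa, Z)), (-1, kron(xa, xb))]
    return [[sum(s * t[i][j] for s, t in terms) / 4 for j in range(4)]
            for i in range(4)]


def mu(alpha, beta):
    alpha, beta = complex(alpha), complex(beta)
    return (1 + alpha + beta - alpha * beta) / 4


def nu(alpha, beta):
    alpha, beta = complex(alpha), complex(beta)
    return (1 + alpha + beta.conjugate() - alpha * beta.conjugate()) / 4


def _unit_phase(z):
    """z/|z|, or 1 when z vanishes (the eigenvalue is then 0 and any phase works)."""
    return z / abs(z) if abs(z) > 1e-15 else 1 + 0j


def candidate_eigenpairs(alpha, beta):
    """Four orthonormal maximally entangled vectors with eigenvalues +-|mu|, +-|nu|."""
    m, n = mu(alpha, beta), nu(alpha, beta)
    r = 1 / math.sqrt(2)
    pairs = []
    for sign in (1, -1):
        pairs.append((sign * abs(m),
                      [r, 0j, 0j, sign * r * _unit_phase(m).conjugate()]))
        pairs.append((sign * abs(n),
                      [0j, r, sign * r * _unit_phase(n).conjugate(), 0j]))
    return pairs


def verify(alpha, beta):
    """Check M v = lambda v for all four pairs and the relation (41)."""
    op = chsh_operator(alpha, beta)
    worst = 0.0
    for lam, vec in candidate_eigenpairs(alpha, beta):
        image = [sum(op[i][j] * vec[j] for j in range(4)) for i in range(4)]
        worst = max(worst, max(abs(image[i] - lam * vec[i]) for i in range(4)))
    a, b = abs(mu(alpha, beta)), abs(nu(alpha, beta))
    return {
        "abs_mu": a,
        "abs_nu": b,
        "max_residual": worst,              # 0 if the eigen-decomposition holds
        "sum_sq": a * a + b * b,            # should equal 1/2, Eq. (41)
        "povm_min_eig": 0.5 * (1 - max(a, b)),  # smallest eigenvalue of (34)
    }


if __name__ == "__main__":
    for name, (al, be) in {
        "ideal X on both sides (alpha = beta = -i)": (-1j, -1j),
        "mu vanishes (alpha = i, beta = -i)": (1j, -1j),
        "generic": (cmath.rect(1, 0.3), cmath.rect(1, -1.1)),
    }.items():
        print(name, verify(al, be))
```

For alpha = beta = -i, i.e. the ordinary X on both sides, the check gives |mu| = 1/√2 and nu = 0, so the bound following (41) is attained.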

Note that POVM measurement $M_{\alpha,\beta}(\pm 1|{\rm CHSH})$, defined by (34), is equivalent to: 
a) performing projective measurement $M_{\alpha,\beta}({\rm CHSH})$ to obtain a result $\in \{\pm|\mu|, \pm|\nu|\}$, 
and then b) adding to it a noise factor $\in \{\pm 1 \pm |\mu|, \pm 1 \pm |\nu|\}$ chosen locally by Charlie 
by a certain probability distribution. The projective measurement $M_{\alpha,\beta}({\rm CHSH})$ can 
further be decomposed as: a-1) performing the Bell state measurement, and then a-2) 
outputting $\pm|\mu|$ when are measured, and $\pm|\nu|$ when 1$^^). 

Hence, as a result, Game 2 can be rewritten in the following equivalent form: 


Game 2’ (G2’): Same as Game 2 except 
(iii) (CHSH test by POVM $M_{\alpha,\beta}(\pm 1|{\rm CHSH})$) Charlie performs the Bell measurement 
on each sample pulse $i \in I_{\rm smp}$ using the basis {|^^/), 1‘h^.^)}. If he measures 
he outputs $s_i = b$ with probability $\frac{1}{2}(1 + ab|\mu_i|)$, where $a, b \in \{\pm 1\}$, 

and if he measures 1$“^, he outputs $s_i = b$ with probability $\frac{1}{2}(1 + ab|\nu_i|)$. 

If the average $S = (l_{\rm smp})^{-1} \sum_{i \in I_{\rm smp}} s_i$ is below the threshold value $S_0$, he 
announces that the protocol is aborted. 


In this game the noise factors $\{\pm 1 \pm |\mu_i|, \pm 1 \pm |\nu_i|\}$ occur independently for each 
pulse i with a probability independent of Eve’s attack, so their perturbation to the 
average S converges to zero rapidly with sample pulse number $l_{\rm smp} = |I_{\rm smp}| \to \infty$. Hence 
the average S can be replaced with the average of measurement results $\{\pm|\mu_i|, \pm|\nu_i|\}$ 
obtained by measurement $M_{\alpha_i,\beta_i}({\rm CHSH})$ up to a negligible error probability. That is, 
for a new game defined as follows: 


Game 3 (G3): Same as Game 2 except 

(iii) (CHSH test by projective measurements with $M_{\alpha,\beta}({\rm CHSH})$) Charlie measures 
each sample pulse $i \in I_{\rm smp}$ projectively with the basis and 

outputs $s_i \in \{\pm|\mu_i|, \pm|\nu_i|\}$ respectively. If the average $S = (l_{\rm smp})^{-1} \sum_{i \in I_{\rm smp}} s_i$ 
is below the threshold $S_0 - \delta S$, he announces that the protocol is aborted. 


we have the following lemma: 

Lemma 8 


mm 

„ABE 


S' 


= exp(-4mp(^5')V48). 


The proof is straightforward, and is given in Appendix G. 


(42) 

(43) 


5.4. Bipartite squash operation 

The CHSH test of Game 3 still depends on parameters $\alpha$ and $\beta$, chosen arbitrarily 
by Eve. Our next step is to eliminate this $\alpha, \beta$-dependence by converting them to a 
measurement consisting only of the usual Pauli operators X, Z. For this purpose, we 
introduce a bipartite squash operation, corresponding to $M_{\alpha,\beta}({\rm CHSH})$. 

Theorem 2 For any a,(3 satisfying m there exists a squash operation satisfying 

fI^ {Z^ (g) F) =Z^(Z, I^. (44) 

(l + (V^ - 1)X^ G > 2M„,/3(CHSH), (45) 
The proof of this theorem is given in Appendix E. 
Condition (44) guarantees that sifted key U has the same probability distribution 
whether $F_{\alpha,\beta}$ is applied or not. It is an equality between POVM elements, as used in 
the previous formalism of the 1-partite squash operation. On the other hand, condition 
(45) deviates from the previous formalism in that it is a relation between observables, not 
POVMs, so we elaborate on it and justify its use below. 

The CHSH test of Game 3 is equivalent to checking 

^ ^ > 2(^0 - (46) 


I 


smp 




Suppose now that Charlie performs the CHSH test using the operator on the l.h.s. of (45), 
instead of $2M_{\alpha,\beta}({\rm CHSH})$ on the r.h.s., without changing the threshold $S_0 - \delta S$. Then 
the test condition (46) is changed to 

1 + (^2 _ ® > 2{So - 5S). (47) 


I 


smp 






r 


It is easy to see that any input state that can pass the CHSH test (46) always 
passes the new test (47) because of (45). In this case we say that the new test (47) is 
weaker than (46). 

More generally, we say that the CHSH test using observable $M_1$ is stronger (weaker) 
than that using $M_2$, whenever $M_1 \le M_2$ ($M_1 \ge M_2$) and they share the same threshold 
value for S. In this terminology, we can prove that a stronger CHSH test results in an 
equal or larger minimum entropy FI^\^{p^^^\VE). Recall that we assume memoryless 
detectors, and thus sifted key U and sample bits S belong to different vector spaces 
(different sectors of tensor product). In this case the CHSH test works as a filter that 
transforms an input p^^^^ to the output p^^^. Hence if the same state p^^^^ is 
CHSH-tested using observables $M_1 \le M_2$, the resulting states satisfy < P 2 

which leads to H^i^{pY^^\VE) > H^i^{pY^^\VE) due to the property of the minimum 
entropy. A more rigorous argument is given in Appendix F. 

We advance our game transformation further by applying this argument to Game 
3. By replacing condition (46) of Game 3 with (47), we obtain the following game.* 


Game 4 (G4): Same as Game 2 except 
(i) (Input of the initial state) 

(a) Same as Game 2. 

(b) Same as Game 2. 

(c) Charlie applies squash operations to qubit pairs $i \in \{1, \ldots, N\}$ given 
by Eve 

* In Game 4, we divide — \)X^' G X^') of (47) into two steps: in Step (i)(c) 
and the $X^{A_i} \otimes X^{B_i}$ measurement in Step (iii). We made this division so that the transition from Game 
4 to 5 in the next subsection becomes transparent. Note that this division does not affect the argument 
of this subsection, since it preserves the relation between inputs and outputs of Game 4. 

(iii) (Phase error measurements by operator $X^A \otimes X^B$) Charlie measures sample 
pulse $i \in I_{\rm smp}$ using operator $X^{A_i} \otimes X^{B_i}$ and obtains results $t_i = \pm 1$. He 
announces that the protocol is aborted whenever 


1 

smp 


i^Isinp 


So-SS-\ 
1 1 
v/2 2 


(48) 


Due to (45), the CHSH test condition of this game, (47), is weaker than that of Game 
3, (46). Hence for the same input state , the minimum entropies after the CHSH 

tests of each game satisfy Hm^T^ (pQ^^\VE) > H^ij^{pQ^^\VE). From this we obtain the 
following lemma: 

Lemma 9 


mm 

pABE 


HiS(.p'PP\VE) > mm <4= (pgr'*IrS) 


(49) 


Now the whole quantum operation performed by Charlie in Step (El) of Game 
4 can be regarded as a bipartite squash operation. Thus we can apply the same 
argument as in Section 12.21 and reduce this game to the following one where there 
is no squash operation. Also, by noting that the phase error rate of samples is 
given by p = | ~ 4mp~^ X)ie/smp condition (48) is equivalent to 

p < (1 + \/2) (~ {Sq — j. Hence, for the following game, 


Game 5 (G5): Same as Game 2 except 


(i) (Input of the initial state) Eve generates a state $\rho^{ABE} \in \mathcal{H}^A \otimes \mathcal{H}^B \otimes \mathcal{H}^E$, with 

each of $\mathcal{H}^A$ and $\mathcal{H}^B$ consisting of N' qubit spaces, and gives it to Charlie. 


(iii) (Phase error measurement using $X \otimes X$) Charlie detects phase errors of sample 
pulses $i \in I_{\rm smp}$ using operator $X^A \otimes X^B$, and aborts the protocol whenever the 
phase error rate p satisfies 


p < (1 + \/2) 



(^0- 



(50) 


we obtain the following lemma. 

Lemma 10 


mm 

pABE 


> mmi/44'(pgr'*|V'B). 


(51) 


5.5. Calculation of the key generation rate 

Since Game 5 is equivalent to the BB84 protocol, by applying the existing security 
proofs of the BB84 protocol P ESj EHl ET], we can bound Hf^(^{pQ^^\E) from below. 
For example, by using a simple formula derived in [27] for the finite length case, we 
obtain the following lemma. 

Lemma 11 The output of Game 5, satisfies 

> n (^1 - h ((1 + x/2) - (So - SS)j + (52) 

Proof: We follow the gedankenexperiment approach used in the security proof of 
[27]. Suppose that Alice and Bob perform x basis measurement on all the squashed 
qubits, and denote Alice’s measurement result by W and Bob’s by W'. Then their 
maximum entropy is bounded by the threshold $Q_{\rm tol}$ of phase error rate of sample bits 
as 

A^x(w■|^n)<»A«..l + A) 

— nil ^(1 + 

with $\mu$ defined in (26). Combining this inequality with the uncertainty relation for 
smooth entropies derived in |3l] 

+ H:2HW\W') > n, (64) 

we obtain the lemma. Here we used the notation H’f^(^{U\VE) = ■ 

5.6. Proof of Lemma 4 

By combining Lemmas 5, 7, 8, 9, 10 and 11, we obtain Lemma 4. 

6. Conclusion 

We proposed a generalization of the squash operations involving multi-partite 
measurements, and demonstrated that it allows us to prove the security of a wider 
class of QKD systems than previously possible. In particular, we applied our method to 
prove the device-independent security of the Ekert 1991 (E91) protocol, and improved 
the key generation rate. 

Note that for the conventional formalism of the 1-partite squash operation, there 
are explicit counterexamples, such as the one given in Lemma [HI. Hence our result on 
the device-independent E91 protocol is concrete evidence that our approach indeed 
allows one to apply the squash operation to a wider class of protocols or detectors than 
previously possible. 

We do not yet know how wide it will eventually be. Neither do we see any explicit 
limitation. In this sense, possible future directions would be to investigate whether 
the techniques developed here can be applied to the cases where detectors are not 
memoryless, and to where two-way classical communications are used for post-processing. 
It is also interesting to reinterpret the existing security proofs of partially device-independent 
or device-dependent protocols (e.g., Refs. [35], [36]) using our method, 
and to develop them further. 




(So -SS))+^^ 


(63) 
Appendix A. Notation of the Pauli matrices 


Throughout the paper, we use the y-basis representation of the Pauli operators, 
represented as 

$X = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad Y = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad Z = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$ (A.1) 


These Pauli matrices are the same as those used in most papers and textbooks, except 
that they are represented in the y-basis: $|b_y\rangle = \frac{1}{\sqrt{2}}\left(|0_z\rangle + (-1)^b i|1_z\rangle\right)$, $b \in \{0,1\}$. One 
can recover the usual forms by rewriting them in the z-basis $|b_z\rangle$. 

We also introduce the generalized X operator, parametrized by a complex number 
$\alpha$ satisfying $|\alpha| = 1$, as 

$X_\alpha = \begin{pmatrix} 0 & \alpha \\ \alpha^* & 0 \end{pmatrix}.$ (A.2) 


Note that this interpolates between X and Z: $X = X_{-i}$, $Z = X_1$ with $i = \sqrt{-1}$. 


Appendix B. Proof of Lemma 2 

Consider the following intermediate protocol: 


Protocol 1’ (PR1’): Intermediate protocol using squash operation. This is the same 
as Protocol 1 except 

(i) Eve generates quantum state and sends its sub-states in and 'H'®, 

each consisting of N tensor products of to Alice and Bob, respectively. 
Alice and Bob then apply squash operation F and store the resulting qubit 
states in and 'H'®. 

(iii) Same as Protocol 2. 


All operations in Protocol 1’ are identical to Protocol 1. The only difference is that 
the measurements performed in Step 3 of Protocol 1 are divided into two steps, the 
squash operation F of Step 1 and qubit measurements Uc of Step 3. Hence we have the 
following relation: 

nsif,pRi = Hsif^pRi/ . 


(B.l) 





Next by definition, we have 

nsif,PRn(p-"'''') = n,if,pR2((Ftot <8) (B.2) 

-^tot = {^ FA,i) ® Fbj). (B.3) 

* 3 

That is, inputting to Protocol 1’ is equivalent to applying squash operation 
on first and then inputting the resulting state to Protocol 2. Hence we have 
min (p^^^lVE) 

= (n3if,PRi \VE) 

= mm (n3if,PRP \VE) 

= min iPn.in(n3if,PR2((Ftot O I^){p^^^)\VE) 

min PP^i„(n,if,pR 2 (p^®'')|^^) 

pABE = (^Ftot&^)(pABE) 

> minPP^in(nsif,PR2(p^^'')|HE) (B.4) 

pABE 

= mmH^tMm\VE), (B.5) 

where the minimum on the fifth line is over all p^^^ for which there exists p^^^ satisfying 


Appendix C. Proof of Lemma 5 

We divide the random variable V describing the public information available to Eve in 
the E91 protocol into two parts: $V_1$ describing basis choice of sample bits, syndrome Vgyn 
and hash value $f_{\rm cor}(u)$, and $V_2$ describing all the remaining part. Then by using Eq. 
(3.21) of Ref. [25], and noting that $V_1$ can be described in 2/smp + Isyn + log 2 ^ bits, 
we have 

HiAp'SfWE) = Hr,(,F™\ViV^E) 

> Hijfil™\V^E) - 24„p - 4yn - log, 2_. (C.l) 

^cor 

By noting that $V_2$ is a classical random variable, and by slightly modifying Lemma 3.1.9 
of Ref. [25], we have 

HL3p'S:M\V^E) > Hi-„Xf,’Sf\V^E) = Hi„XfPPP\VE). (C.2) 

From (C.1) and (C.2), we obtain the lemma. ■ 


Appendix D. Proof of Lemma 6 

We give a proof sketch of Lemma 6. For the complete proof, we ask the reader to see 
Section 2.4 of Ref. [23]. Also keep in mind that we here only discuss Alice’s detector, 
because the proof for Bob’s detector can be given in exactly the same way. 

First, we show that (Alice’s) POVM measurements M(r|c) ($c \in \{x, z\}$, $r \in \{\pm 1\}$) 
can be rewritten as projective measurements in a Hilbert space, augmented by an ancilla 
(see, e.g., [37]). 


Lemma 12 (Implicit in the proof of Lemma 1 [24]) Given POVMMc^±i : 

{±1} satisfying 

M(+l|c)+ M(-l|c) = forcG{a:,4, (D.l) 

there exist an ancilla f G PL^' and projection operators P(r|c) in PL^ ® Pi^' satisfying 
M{r\c){p) = P{r\c){p ® f) 


for an arbitrary p G PL^, and 

P(+l|c) + P(—l|c) = ioTce{x,z}. 


(D.2) 

(D.3) 


Proof: By using the completeness relation (D.1) for M^, and the equivalence of 
POVM and general measurements (see, e.g., Section 2.2 of [37]), we see that, for each 
basis $c \in \{x, z\}$, there exists an ancilla fc and projection operators P(r|c) in Pi^ ® PP, 
satisfying M(r|c)(p) = P(r|c)(p®^c) for an arbitrary state p G PL^. Then by letting 
^ = ix® ^zi P{r\x) = P{r\x) ® P and P{r\z) = P{r\z) ® P, we obtain the lemma. ■ 

Hence Game 1 can be rewritten in the form where Charlie prepares ancillas f for 
all detectors, and then measures the initial state $\rho^{ABE}$ together with ^ using projections 
P(r|c) satisfying (D.3). We further modify this game such that f is prepared by Eve, 
instead of Charlie, and call it Game 1’. In this case, the value of minimum entropy 
minpABB realized in this modified game, is never larger than in Game 

1, since Eve has a larger choice of $\rho^{ABE}$. Additionally, Game 1’ can also be considered 
as a limited case of Game 1 where Charlie’s measurements are P(r|c). Thus, as long as 
our goal is to bound minpAss Pinin(p^^'®| VP) from below, there is no loss of generality 
in assuming that Charlie’s detectors are projections P(r|c) satisfying (D.3). 

By introducing operators := P(+1|c) − P(−1|c) for c = x, z, this condition can 
be rewritten as for which the following lemma can be applied. 


Lemma 13 (Ref. [24], Lemma 2) Let $A_x$ and $A_z$ be Hermitian operators with 
eigenvalues equal to ±1 acting on a Hilbert space $\mathcal{H}$ of finite or countably infinite 
dimension. Then we can decompose the Hilbert space $\mathcal{H}$ as a direct sum 

$\mathcal{H} = \bigoplus_\alpha \mathcal{H}_\alpha$ (D.4) 

such that $\dim(\mathcal{H}_\alpha) \le 2$ for all $\alpha$, and such that both $A_x$ and $A_z$ act within $\mathcal{H}_\alpha$, that is, 
if $|\psi\rangle \in \mathcal{H}_\alpha$, then $A_x|\psi\rangle \in \mathcal{H}_\alpha$ and $A_z|\psi\rangle \in \mathcal{H}_\alpha$. 

Hence operators $A_c$, as well as P(r|c), can all be block diagonalized to two-qubit 
subspaces labeled by $\alpha$. Hence P(r|c) can be decomposed as a projective measurement 
that specifies subspace $\alpha$, followed by qubit measurements performed in $\mathcal{H}_\alpha$. This means 
that the index $\alpha$ may be considered as a classical variable conveyed from Eve to the 
legitimate player. This concludes the proof of Lemma 6. 
Define an operator 

Af;^(CHSH):=M„,4CHSH) + 2H|>I';‘>{'I';‘|+2|(/||4;‘)(4;‘|. (E.l) 

It is straightforward to show that it satisfies 

M^^^(CHSH) > M„,/3(CHSH). (E.2) 

and that it can also be written as 

Af;^(CHSH)= 5^ (wi»r,){»;i + i>'ii4:>«i) 

a=ibl 

_ + W-M yA g yB 

2 2 

As the coefficients satisfy $(|\mu| + |\nu|)^2 + (|\mu| - |\nu|)^2 = 2(|\mu|^2 + |\nu|^2) = 1$ and $|\mu| + |\nu| \ge 
|\mu| - |\nu|$, the operator M^^(CHSH) can further be rewritten using an angular parameter 
$|\phi(\alpha, \beta)| \le \pi/4$ as 

M;_^(CHSH) = ^ (cos 0(a, (3)1^^ + sin 0(a, (3)Y^ ® Y^) . (E.3) 

Then by noting that Inequality (45) is equivalent to 

(1 + V2) - 2M„,^(CHSH)) + Fl p{X^ ® X^) > 0, (E.4) 

and by using (E.2), we see that Inequality (45) holds if 

:= (1 + x/2) (1 - 2M;^(CHSH)) + Flp{X ® X) (E.5) 

= (1 + \/2) ((1 - cos 0)1^^ + sin (j)Y^ ® Y^) + ® X) > 0. 

Hence, in order to prove Theorem 2, it suffices to construct satisfying (44) and 
A ≥ 0 explicitly. For that purpose, it suffices to construct satisfying (44) and 

Flf,{X^®X^) = aY^®Y^, (E.6) 

a = — Sign(sin0) X min(l, (1 + \/2)| sin0|), (E.7) 


where $\mathrm{Sign}(\sin\phi) = \pm 1$ according to the sign of $\sin\phi$. Note that $|a| \le 1$. 

One can indeed construct F^^p satisfying (E.6) and (E.7), e.g., by i) applying 90 
degree Z rotation to both A and B so that $X^A \otimes X^B \to Y^A \otimes Y^B$, and then ii) 180 
degree Z rotation to B only so that $Y^A \otimes Y^B \to -Y^A \otimes Y^B$, with probability $(1 - a)/2$. 
Note that (44) holds automatically since only Z rotations are used. $A \ge 0$ can be 
verified as follows: If $|\sin\phi| \le 1/(1 + \sqrt{2})$ then $A = (1 + \sqrt{2})(1 - \cos\phi) I^{AB} \ge 0$. On 
the other hand if $|\sin\phi| > 1/(1 + \sqrt{2})$, we have 

$A = (1 + \sqrt{2})(1 - \cos\phi) I^{AB} + \left((1 + \sqrt{2})|\sin\phi| - 1\right) \mathrm{Sign}(\sin\phi)\, Y^A \otimes Y^B$ 
$\ge (1 + \sqrt{2})(1 - \cos\phi) I^{AB} - \left((1 + \sqrt{2})|\sin\phi| - 1\right) I^{AB}$ 
$= (1 + \sqrt{2})(\sqrt{2} - \cos\phi - |\sin\phi|) I^{AB} \ge 0$. (E.8) 
Appendix F. Stronger Bell test does not decrease the smooth minimum 
entropy 


Here we will prove a lemma, whose meaning can be roughly stated as: If one replaces 
one’s Bell test measurement with a stricter one, then the minimum entropy of the state 
after passing it becomes larger. This may sound obvious intuitively, but we give a proof 
for the completeness of our presentation. 

We begin by defining exactly what we want to prove. Let $Q_i$ and $R_i$ be two Bell 
measurement operators, defined for each pulse pair $i \in I_{\rm smp}$; $Q_i$ and $R_i$ may vary 
depending on i. Assume that absolute values of their eigenvalues are bounded from 
above uniformly by a constant M > 0 which does not depend on i, and that they satisfy 

$Q_i \le R_i$ for any $i \in I_{\rm smp}$. (F.1) 

Define their averages to be $Q := l_{\rm smp}^{-1} \sum_{i \in I_{\rm smp}} Q_i$, $R := l_{\rm smp}^{-1} \sum_{i \in I_{\rm smp}} R_i$; then we also 
have 

$Q \le R$. (F.2) 

Hence the Bell test using Q is stricter than that using R, when the same threshold S is 
used. 

Also consider a projection operator $P_Q$ that outputs 1 when the projective 
measurement Q outputs a value larger than or equal to S, and outputs 0 otherwise. This 
operator, $P_Q$, works as a filter that erases the input state whenever the Bell measurement 
Q outputs a value smaller than S. $P_R$ is also defined in the same way as the filter that 
erases the input whenever R outputs a value smaller than S. 

With these operators, the state after the Bell test by operator Q is represented as 

(F. 

where 


= (I 


u 


Pq 0 0 Pq 0 (F.4) 

The state after the Bell test R, i.e., , is also defined by replacing subscript Q in 
(F.3), (F.4) with R. 

In this setting, we want to prove that the minimum entropy of p^^^ (state after the 
stronger Bell test) is not smaller than that of Pq^^ (state after the weaker Bell test). 
This can be stated exactly as follows: 


Lemma 14 Under the above setting, operators $P_Q$, $P_R$ commute with each other and 
satisfy 

$P_Q \le P_R$. (F.5) 

The smooth minimum entropy of the corresponding states p^^, Pq^^ satisfy 


(F.6) 
Proof: Let $V_{Q,b}$, $V_{R,b}$ ($b \in \{0,1\}$) be the eigenspaces of $P_Q$, $P_R$ associated with 
eigenvalue b. If there exists a state $|\psi\rangle \in V_{Q,1} \cap V_{R,0}$, $|\psi\rangle \ne 0$, then we obtain an 
inequality $S \le \langle\psi|Q|\psi\rangle \le \langle\psi|R|\psi\rangle \le S - \delta S$, with $S - \delta S$ being the largest of eigenvalues 
of R that are smaller than S. But this is absurd so $V_{Q,1} \cap V_{R,0} = \{0\}$, which implies 
$[P_Q, I - P_R] = 0$ and thus $[P_Q, P_R] = 0$. Hence $P_Q$, $P_R$ are simultaneously diagonalizable, 
and (F.5) follows immediately from (F.2). 

Since $[P_Q, P_R] = 0$ and (F.5), $P_Q = P_Q P_R$ holds, so 

= (F ®Pq® ® Pq ® (F.7) 


By noting that $P_Q$ is a completely positive map, we can apply the data processing 
inequality ([38], Theorem 5.7) to Pr^^^, and obtain (F.6). ■ 


Appendix G. Proof of Lemma 8 

We first prove the following lemma, and then use it to prove Lemma 8. 

Lemma 15 Denote random variable S in Game 2’, Game 3 by $S_{{\rm G}2'}$, $S_{{\rm G}3}$ respectively. 
Then 

Pr[|^G2'-^G3|>5^]< y, (G.1) 

where 

y :=exp(-4„p(5^)V48). (G.2) 

Proof of Lemma 15: Denote random variable $s_i$ of Game 2’, Game 3 by $s_{{\rm G}2',i}$, $s_{{\rm G}3,i}$ 
respectively, then $S_{{\rm G}n} = l_{\rm smp}^{-1} \sum_{i \in I_{\rm smp}} s_{{\rm G}n,i}$ for n = 2', 3. Also define a random variable 

$\Delta_i := s_{{\rm G}2',i} - s_{{\rm G}3,i}$, then it follows that their expected value is zero: $\langle\Delta_i\rangle = 0$ for $\forall i \in I_{\rm smp}$. 
One can also verify easily that $\Delta_i$, $\Delta_j$ of different pulse pairs i, j are independent from each 
other, and that their differences satisfy $|\Delta_i - \Delta_{i-1}| \le 2(1 + \sqrt{2})$. Thus we can apply the 
Azuma-Hoeffding inequality (see, e.g., Theorem 12.4, [33]) to their average, $S_{{\rm G}2'} - S_{{\rm G}3}$, 
and obtain the lemma. ■ 

Proof of Lemma 8: By using Lemma 15 and by noting that the Bell test 
measurements of Game 2’ and in Game 3 commute with each other, we have 

+ Ap^^^ < pg3^^. (G.4) 

By using (G.3) and by definition of smooth min-entropy, we have HfV (pg^-^jl/P) > 
PmmiPG 2 '^ + Ap^^^\VE). By using (G.4) and the data processing inequality ([38], 
Theorem 5.7), we also obtain P4 jj(pq^® + Ap^^-^IHP) > P4jj(pgf^|l/P). Combining 
these two inequalities, we have (pgg'^| VE) > P4n(PG3^|G.E). ■ 